Unrated severityNVD Advisory· Published Jun 19, 2025· Updated Jun 20, 2025
AI Engine 2.8.0 - 2.8.3 - Authenticated (Subscriber+) Insufficient Authorization to Privilege Escalation via MCP
CVE-2025-5071
Description
The AI Engine plugin for WordPress is vulnerable to unauthorized modification of data and loss of data due to a missing capability check on the 'Meow_MWAI_Labs_MCP::can_access_mcp' function in versions 2.8.0 to 2.8.3. This makes it possible for authenticated attackers, with subscriber-level access and above, to have full access to the MCP and run various commands like 'wp_create_user', 'wp_update_user' and 'wp_update_option', which can be used for privilege escalation, and 'wp_update_post', 'wp_delete_post', 'wp_update_comment' and 'wp_delete_comment', which can be used to edit and delete posts and comments.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
3- tigroumeow/AI Enginev5Range: 2.8.0
Patches
Vulnerability mechanics
References
3News mentions
0No linked articles in our index yet.